From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Thu, 15 May 2025 15:44:58 +0200
Subject: xml: prevent assignment of attribute value inside any attribute
Origin: https://git.entrouvert.org/lasso.git/commit/?id=8d12e6263fd6add923469bd5704e05a1ccfa8c69
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-47151

---
 lasso/xml/misc_text_node.c                 | 2 +-
 lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
 lasso/xml/xml.c                            | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

--- a/lasso/xml/misc_text_node.c
+++ b/lasso/xml/misc_text_node.c
@@ -41,7 +41,7 @@ typedef struct {
 static struct XmlSnippet schema_snippets[] = {
 	{ "content", SNIPPET_TEXT_CHILD,
 		G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
 		G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
 	{NULL, 0, 0, NULL, NULL, NULL}
 };
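Review bot: The empty string now used as the name of the `SNIPPET_ATTRIBUTE | SNIPPET_ANY` entry is an unexplained sentinel; nothing at the table says why it is `""`. A later cleanup could restore a descriptive name, and the parser would then depend solely on the flag check in lasso/xml/xml.c to keep an XML attribute of that name out of this slot. A comment above the entry would record the intent, for example `/* name intentionally empty: must never match an attribute name from parsed XML */`. The same applies to the identical entry changed in lasso/xml/saml-2.0/saml2_attribute_value.c. Whether any other code looks this snippet up by its old name is not visible from the hunk and is worth checking.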
--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
+++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate
 static struct XmlSnippet schema_snippets[] = {
 	{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
 		G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
 		G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
 		NULL, NULL },
 	{NULL, 0, 0, NULL, NULL, NULL}
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1569,6 +1569,7 @@ lasso_node_impl_init_from_xml(LassoNode
 				type = snippet->type & 0xff;
 				/* assign attribute content if attribute has the same name as the
 				 * snippet and:
+				 * - the snippet is not the any attribute snippet,
 				 * - the snippet and the attribute have no namespace
 				 * - the snippet has no namespace but the attribute has the same
 				 *   namespace as the node
@@ -1576,6 +1577,8 @@ lasso_node_impl_init_from_xml(LassoNode
 				 */
 				if (type != SNIPPET_ATTRIBUTE)
 					continue;
+				if (snippet->type & SNIPPET_ANY)
+					continue;
 				if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
 					continue;
 				if (attr->ns) {
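Review bot: The added `if (snippet->type & SNIPPET_ANY) continue;` has no why-comment at the statement, and the patch's diffstat shows no regression test accompanying it. The bullet added to the block comment above says what is excluded but not the reason. A one-line comment such as `/* any-attribute storage is not a plain string slot; never fill it by name match */` would help, though the field's type is not visible here, so the wording needs confirming. A test that parses a node carrying an attribute whose name equals a wildcard snippet's name, and checks that it is handled as an ordinary extra attribute, would pin the behaviour. The body of lasso_node_impl_init_from_xml starts and ends outside this hunk, so the assignment path after the name and namespace checks could not be reviewed.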
